NSA uncovers ties between North Korea and WannaCry attacks

The National Security Agency said that tactics, techniques and targets of the massive ransomware assault point to North Korea’s spy agency: the Reconnaissance General Bureau.
By Jessica Davis
11:36 AM

The National Security Agency has found with ‘moderate confidence’ ties between the North Korean government and the WannaCry ransomware campaign that hit about 150 countries and more than 300,000 devices in May, according to the Washington Post.

The NSA analyzed tactics, techniques and targets that point to the Reconnaissance General Bureau -- North Korea’s spy agency. It’s suspected that RGB sponsored the cyber actors behind the two versions of WannaCry.

The assessment was issued last week internally and has not been made available to the public.

WannaCry is based on NSA hacking tools leaked by an anonymous group called the Shadow Brokers. The virus was the first worm to be coupled with ransomware. While WannaCry appears to be an attempt to raise money for the North Korean regime, the operation was severely flawed.

Despite locking down computers across the globe, the hackers only raised about $140,000 in bitcoin. And they have yet to cash out that amount because of an operational error that makes the transactions easy to track.

While the assessment isn’t conclusive, the evidence of North Korea’s involvement is mounting. Security firm Symantec found a strong technical link between the ransomware and the hacking group Lazarus, which is thought to have ties to North Korea.

Google security researcher Neel Mehta also noticed a similar connection, as did Kaspersky Lab and BAE Systems.

With Rapid7’s National Exposure Index finding 160 million computers, servers and IoT devices with open ports exposed to the public, and 5.5 million internet-connected devices exposing SMB port 445, which carries vulnerabilities like the one exploited in the WannaCry attack, it’s time for hospitals to patch or update outdated devices.

A nation-state connection means it’s likely there will be more of these attacks in the future. And while the U.S. only had two impacted hospitals, HHS Deputy Chief Information Security Officer Leo Scanlon said the U.S. just got lucky that it wasn't affected as much as other countries.

“There’s a great deal of analysis to determine what happened and why,” Scanlon said at a June 8 House Energy and Commerce Committee hearing. “I don’t believe we were spared the spread: We were spared the impact.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com